Blocking emails that claim to come from our

Glenn Steen glenn.steen at GMAIL.COM
Wed Dec 7 12:06:55 GMT 2005



On 07/12/05, Dhawal Doshy <dhawal at netmagicsolutions.com> wrote:
> Drew Marshall wrote:
> > On Wed, December 7, 2005 10:43, Glenn Steen wrote:
> >
> >>On 07/12/05, Erick Perez <eaperezh at gmail.com> wrote:
> >>
> >>>what about MS and postfix?
> >>>where do i implement that?
> [SNIP]
> > The only thing I would add is that sometimes helo rejection can be too
> > harsh (There are loads of Exchange boxes that have strange AD domains
> > setup due to AD getting confused over internal and external DNS and end up
> > heloing with something like exchange.domain.internal which will be
> > rejected with 'reject_invalid_hostname') so you might choose to add
> > 'warn_if_reject' in front so you just log these and take a view on
> > rejection based on your hits (Like your best customer won't be rejected
> > for example!).
>
> minuscule correction
>
> 'reject_invalid_hostname' under 'smtpd_helo_restrictions' will simply
> reject the 'helo' if it contains any special / bad characters..
>
> The parameter you are talking about is reject_unknown_hostname, which
> will reject the mail if no valid A/MX record exists for the helo
> hostname and causes quite a few false positives.
>
> see: http://www.postfix.org/uce.html#smtpd_helo_restrictions
>
> - dhawal
>
Ah, that explains why the whole thing felt a bit alien.... And with
the amount of hosts _sending_ mail that don't have valid A/MX records,
I'd definitely apply the warn_if_reject to that feature.... AFAICR,
there is no absolute mandate (MUST) in any RFC regarding a sending
host having to even have a DNS record of any kind... I might be
recalling wrong though:-).

Just to clarify further: My suggested restrictions above _will not_
reject a stoopid AD(-dled) M-Sexchange host HELOing with
exchange.domain.internal, since this is a valid domain _string_ ...
Neither of these restrictions performs any form of DNS lookup.
Thank you Dhawal & Drew, for these clarifications/verifications.
I'm off for some nice pain-killers and honeyed tea.... Will hopefully
make head work again:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
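
The distinction discussed in this thread, written out as a Postfix `main.cf` fragment. This is an added example, not part of the original messages and not the restriction list Glenn posted earlier (that part was snipped); the ordering and the choice of `permit_mynetworks` as the first entry are assumptions.

```cfg
# /etc/postfix/main.cf (fragment) -- illustrative, added to this archive page

# Without this, a client can skip every HELO check below simply by
# never sending HELO/EHLO.
smtpd_helo_required = yes

# reject_invalid_hostname
#   Syntax check on the HELO string only, no DNS lookup. A name such as
#   "exchange.domain.internal" is a well-formed hostname and passes.
#
# warn_if_reject reject_unknown_hostname
#   reject_unknown_hostname needs an A or MX record for the HELO name,
#   which is where the false positives come from. With warn_if_reject in
#   front, the mail is accepted and the would-be rejection is only logged.
#
# Postfix 2.3 and later call these reject_invalid_helo_hostname and
# reject_unknown_helo_hostname.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    warn_if_reject reject_unknown_hostname
```

Hits from the `warn_if_reject` entry appear in the mail log as `reject_warning` instead of `reject`, so they can be reviewed before deciding whether to enforce the DNS check.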
